> > I do:
> > iptables -t nat -A PREROUTING -p udp -j LOG --log-prefix "PREROUTING: "
> > iptables -t filter -A INPUT -p udp -j LOG --log-prefix "INPUT: "
> > (I'm logged in that box via ssh, so I prefer not to do -p all)
> > There are no more rules than these ones.
> > In the log I see the INPUT ones but not the PREROUTING (only see on
> > PREROUTING packets to port 137, maybe some worm...)

> That's very strange. You said in your first post that you had a udp proxy
> running. Is it on this box? I'm not sure at what level a proxy hooks into the
> box, but I know that some programs read the data stream before netfilter sees
> it. If the proxy is in front of netfilter then netfilter would never see
> those packets. The port 137 packets are prolly just internet garbage.

The proxy has a udp socket bound to port 5000, and another udp socket bound
to some other port, it reads from the first socket and does a sendto using the
other socket (poll + read + write, no more)

> > > You should see tons output in /var/log/messages including the packets
> > > you're looking for. If the packets aren't there, then they aren't making
> > > it to the box.

> > But the packets got to the INPUT rule, that should be after PREROUTING. And
> > got to my socket.

> Can you show these log entries? I don't even know how that could happen. Maybe
> someone else has some ideas.

Dec 14 15:57:22 ivrip kernel: INPUT: IN=eth0 OUT= MAC=00:0a:e6:fa:c6:09:00:09:12:2b:5e:fd:08:00 SRC=200.61.169.146 DST=200.68.94.100 LEN=60 TOS=0x00 PREC=0xA0 TTL=251 ID=17815 PROTO=UDP SPT=17314 DPT=5000 LEN=40
Dec 14 15:57:23 ivrip last message repeated 47 times
Dec 14 15:57:23 ivrip kernel: INPUT: IN=eth0 OUT= MAC=00:0a:e6:fa:c6:09:00:09:12:2b:5e:fd:08:00 SRC=200.61.169.146 DST=200.68.94.100 LEN=41 TOS=0x00 PREC=0xA0 TTL=251 ID=17855 PROTO=UDP SPT=17314 DPT=5000 LEN=21

Lots of those.

Only very sporadic, non related PREROUTING ones, like:

Dec 14 15:57:58 ivrip kernel: PREROUTING: IN=eth0 OUT= MAC=00:0a:e6:fa:c6:09:00:09:12:2b:5e:fd:08:00 SRC=217.126.141.13 DST=200.68.94.100 LEN=78 TOS=0x00 PREC=0x00 TTL=108 ID=31313 PROTO=UDP SPT=56666 DPT=137 LEN=58

iptables-save says:

# Generated by iptables-save v1.2.9 on Sun Dec 14 15:59:05 2003
*nat
:PREROUTING ACCEPT [1474:107026]
:POSTROUTING ACCEPT [19:2376]
:OUTPUT ACCEPT [19:2376]
-A PREROUTING -p udp -j LOG --log-prefix "PREROUTING: "
COMMIT
# Completed on Sun Dec 14 15:59:05 2003
# Generated by iptables-save v1.2.9 on Sun Dec 14 15:59:05 2003
*filter
:INPUT ACCEPT [28639:3847013]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [26167:3457193]
-A INPUT -p udp -j LOG --log-prefix "INPUT: "
COMMIT
# Completed on Sun Dec 14 15:59:05 2003

(Note that filter INPUT saw 28639 packets and PREROUTING just 1474 since last
boot)

> Jeff

Regards,
HoraPe
---
Horacio J. Peña
horape@xxxxxxxxxxxxxxxxx
horape@xxxxxxxxxx
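
An added example, not part of the original message: a small Python parser for netfilter LOG lines like those quoted above. It expands syslog's "last message repeated" lines and tallies packets per log prefix and flow, so the INPUT and PREROUTING entries can be compared flow by flow. The sample lines are constructed from the entries in the message (MAC and other fields dropped), and the function names are illustrative.

```python
import re
from collections import Counter

# Constructed sample based on the log entries quoted above (MAC/TOS/TTL/ID dropped).
SAMPLE = """\
Dec 14 15:57:22 ivrip kernel: INPUT: IN=eth0 OUT= SRC=200.61.169.146 DST=200.68.94.100 LEN=60 PROTO=UDP SPT=17314 DPT=5000 LEN=40
Dec 14 15:57:23 ivrip last message repeated 47 times
Dec 14 15:57:23 ivrip kernel: INPUT: IN=eth0 OUT= SRC=200.61.169.146 DST=200.68.94.100 LEN=41 PROTO=UDP SPT=17314 DPT=5000 LEN=21
Dec 14 15:57:58 ivrip kernel: PREROUTING: IN=eth0 OUT= SRC=217.126.141.13 DST=200.68.94.100 LEN=78 PROTO=UDP SPT=56666 DPT=137 LEN=58
"""

LOG_RE = re.compile(r"kernel: (?P<prefix>[^:]+): (?P<fields>IN=.*)$")
REPEAT_RE = re.compile(r"last message repeated (\d+) times")
FLOW_KEYS = ("PROTO", "SRC", "SPT", "DST", "DPT")

def parse_fields(text):
    """Split KEY=value tokens; first occurrence wins (IP LEN precedes UDP LEN)."""
    fields = {}
    for token in text.split():
        key, sep, value = token.partition("=")
        if sep:
            fields.setdefault(key, value)
    return fields

def tally(log_text):
    """Count packets per (log prefix, flow), expanding syslog repeat lines."""
    counts, last_key = Counter(), None
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            f = parse_fields(m.group("fields"))
            last_key = (m.group("prefix"), tuple(f.get(k, "?") for k in FLOW_KEYS))
            counts[last_key] += 1
            continue
        r = REPEAT_RE.search(line)
        if r and last_key:
            counts[last_key] += int(r.group(1))  # repeats of the previous entry
        elif not r:
            last_key = None  # unrelated line: a later repeat is not ours
    return counts

def flows_only_in(counts, seen_prefix, other_prefix):
    """Flows logged under seen_prefix that never appear under other_prefix."""
    seen = {flow for (p, flow) in counts if p == seen_prefix}
    other = {flow for (p, flow) in counts if p == other_prefix}
    return sorted(seen - other)

if __name__ == "__main__":
    result = tally(SAMPLE)
    for (prefix, flow), n in sorted(result.items()):
        print(prefix, flow, n)
    print("INPUT only:", flows_only_in(result, "INPUT", "PREROUTING"))
```

Rules in the nat table are only consulted for the first packet of each connection that conntrack tracks, so comparing which flows each chain logged is more telling than comparing raw packet counters.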